From 31453a5469effff922a696f6afec3c19f75ec229 Mon Sep 17 00:00:00 2001
From: Martynas Pumputis <m@lambda.lt>
Date: Thu, 12 Jan 2023 16:28:21 +0100
Subject: [PATCH] install: Auto-enable BPF masquerade

By default, the BPF-based masquerading is disabled. Enable the feature
if the KPR=strict and a user haven't specified the helm's
"bpf.masquerade" option.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
---
 install/autodetect.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/install/autodetect.go b/install/autodetect.go
index 3a946d7447..5d11bca738 100644
--- a/install/autodetect.go
+++ b/install/autodetect.go
@@ -170,6 +170,7 @@ func (k *K8sInstaller) autodetectAndValidate(ctx context.Context) error {
 	}
 
 	k.autodetectKubeProxy(ctx)
+	k.autoEnableBPFMasq()
 	return nil
 }
 
@@ -236,5 +237,27 @@ func (k *K8sInstaller) autodetectKubeProxy(ctx context.Context) error {
 			fmt.Sprintf("k8sServiceHost=%s", apiServerHost),
 			fmt.Sprintf("k8sServicePort=%s", apiServerPort))
 	}
+
 	return nil
 }
+
+func (k *K8sInstaller) autoEnableBPFMasq() {
+	// Auto-enable BPF masquerading if KPR=strict
+	foundKPRStrict := k.params.KubeProxyReplacement == "strict"
+	foundMasq := false
+	for _, param := range k.params.HelmOpts.Values {
+		if !foundKPRStrict && param == "kubeProxyReplacement=strict" {
+			foundKPRStrict = true
+			continue
+		}
+		if strings.HasPrefix(param, "bpf.masquerade") {
+			foundMasq = true
+			break
+		}
+	}
+
+	if foundKPRStrict && !foundMasq {
+		k.params.HelmOpts.Values = append(k.params.HelmOpts.Values,
+			"bpf.masquerade=true")
+	}
+}